How secure is secure? And who says so?

Dissidents around the world depend upon security software to protect themselves from hostile government surveillance

At the end of July, security researcher Christopher Soghoian made an impassioned plea: Tech journalists: Stop hyping unproven security tools. He cited the praise heaped upon Haystack, an encryption product produced by Austin Heap, “a San Francisco software developer, who the Guardian described as a ‘tech wunderkind’ with the ‘know-how to topple governments’.” Newsweek said that Heap had “found the perfect disguise for dissidents in their cyberwar against the world’s dictators.”

But, said Soghoian, when Jacob Appelbaum got hold of a copy and analyzed it, “The results were not pretty -- he described it as ‘the worst piece of software I have ever had the displeasure of ripping apart’.” More recently Soghoain is concerned about the virtually unfettered praise of Copycat. Wired headlines a story, “This Cute Chat Site Could Save Your Life and Help Overthrow Your Government.” But Soghoain points out that “several prominent experts in the security community have criticized the web-based version of Cryptocat. These critics include Thomas Ptacek, Zooko Wilcox-O'Hearn, Moxie Marlinspike and Jake Appelbaum.”

It’s a serious issue. Dissidents around the world depend upon security software to protect themselves from hostile government surveillance – and it’s only natural that they should turn to the press for ideas. But journalists are, in general, experts on what makes a story – not what makes secure software. Soghoian’s plea to journalists is simple: “When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts.”

Steganos Software is not a new company. It’s been around for some time, and has well-respected products. But when Infosecurity heard about its new VPN, OkayFreedom, it decided to approach an independent security expert. Steganos says of the product, “Access websites blocked in your country;” “Surf the Net anonymously,” and “Protect your privacy on the internet.”

Infosecurity asked Christopher Soghoian for his thoughts on looking at new VPN products. “There are two things to consider here,” he said. “Are the data retention policies of the VPN service good or not (where good = privacy protecting), and how can we be sure that the VPN service actually follows the stated retention policies?” He points to HideMyAss, a UK-based VPN company that handed over information on LulzSec users leading to their arrest. There seems to be little point in using a service to hide from your government (whichever one it happens to be) if the service provider hands over your information.

In this instance Soghoian says that Steganos has excellent retention policies, but that “there is absolutely no way to know that they have actually implemented this policy. At the end of the day, you are taking them on their word.” In the final analysis, this applies to much of the security software we rely on. “However,” he added, “it is worth noting that Germany has pretty strong privacy laws, and very active regulation by privacy commissioners, so if any evidence is uncovered suggesting that these guys are lying about their retention policies, I imagine that regulators could throw the book at them.”